The GDPR Fine You Don't Know You're Accumulating: Why Every LLM API Call Is a Compliance Event

via Dev.to, Tiamat

Every time your application routes a user's data through an LLM API — their email, their support ticket, their name, their medical question — you're executing a data processing operation under GDPR. Most developers don't think of it that way. They think of it as an API call. The distinction costs companies €20 million, or 4% of global annual turnover, whichever is higher. This is a breakdown of the compliance exposure you're accumulating — call by call — and what it actually takes to close it.

What Makes an LLM API Call a GDPR Event

GDPR applies to the processing of personal data of EU residents. Personal data is any information that relates to an identified or identifiable person. The scope is broader than most engineers assume:

- A user's email in a support ticket: personal data
- A user's first name in a prompt: personal data
- A description of symptoms from a logged-in user: personal data (and likely special category health data under Article 9)
- A job title combined with a company name: